[squid-users] Problem with fail over to parents

From: H.-Dirk Schmitt <dirk_at_computer42.org>
Date: Fri, 04 Dec 2009 11:56:29 +0100

Hello !

I have problems on a squid3 with parent fail over.

The installation has the following layout.
client --> internal-proxy --> external-proxy (2 instances parent-1 and
parent-2) --> internet

The client is a business application with demand to communicate to
distinct partners on the internet.
The internal proxy implements a whitelist filtering for allowed URLs.
The external proxies are sitting in a network zone with access to the
internet. They are located in 2 different computing centers with
dedicated internet connections.

Everything works fine if both parents are running. The whole traffic is
routed to parent-1 (sitting in the same computing center).

If I shut down parent-1, no failover to parent-2 happens.
I can track down the problem (debug 15,9) to the following log statements:

2009/12/03 22:36:01.920| getFirstUpParent: returning
192.168.253.17 # should be dead
2009/12/03 22:36:01.920| peerGetAllParents: adding alive parent
192.168.253.17 # should be dead
2009/12/03 22:36:01.920| peerGetAllParents: adding alive parent
192.168.253.18 # running

The access log says that the requests are still handled by
FIRST_UP_PARENT: TCP_MISS:FIRST_UP_PARENT
The result is a 503: X-Squid-Error: ERR_CONNECT_FAIL 111

The squid.conf follows below.

Does anybody have a hint?

Best regards,

H.-Dirk Schmitt

======================================================
squid.conf:
# bind to network interface and port
http_port 192.168.1.xxx:10028
icp_port 0
snmp_port 0

# cache dir
cache_dir ufs /opt/squid/proxy-internal/squid-cache 512 16 255

# log files
cache_access_log /opt/squid/proxy-internal/logs/access.log
cache_log /opt/squid/proxy-internal/logs/cache.log
cache_store_log /opt/squid/proxy-internal/logs/store.log

logfile_rotate 30 # keep 30 files, rotated daily via crontab

# pid file
# not used by amt, generates equivalent pid
pid_filename /opt/squid/proxy-internal/squid.pid

# for logging, error pages, ...
visible_hostname XXXXX320-prod

# access log in common format
# Client Ident - [Timestamp1] "Method URI" Type Size
emulate_httpd_log on

# email in error pages
cache_mgr service-desk_at_bv-zahlungssysteme.de

# -----------------------------------------------
# DEBUGGING OUTPUT
debug_options 15,9

# -----------------------------------------------
# common acl definitions
# acl all src 0.0.0.0/0.0.0.0 --> internally defined
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 192.168.1.139/255.255.255.255

acl CLIENTS src 192.168.1.139/255.255.255.255
acl CLIENTS src 127.0.0.1/255.255.255.255
acl CLIENTS src 192.168.1.126/32

acl ORG_INTERN dst 192.168.0.0/255.255.0.0 xxx.xxx.xxx.0/255.255.255.0

acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl MANAGER proto cache_object

# disabling caching
cache deny all

# route traffic to bvzs internal destinations directly by IP
never_direct allow !ORG_INTERN
always_direct allow ORG_INTERN

# parent caches for external traffic (one cache_peer directive per line)
cache_peer 192.168.253.17 parent xxx28 xxx30 proxy-only no-query name=parent-1
cache_peer 192.168.253.18 parent xxx28 xxx30 proxy-only no-query name=parent-2

netdb_ping_period 1 minutes

dead_peer_timeout 10 seconds

# deny proxy access for internal traffic
cache_peer_access parent-1 deny ORG_INTERN
cache_peer_access parent-2 deny ORG_INTERN

# block CONNECT for ports other than the SSL ports
# not possible because of the mcft protocol
#http_access deny CONNECT !SSL_ports

# cachemgr should be restricted to localhost
http_access allow MANAGER localhost
http_access deny MANAGER

# purge should be restricted to localhost
http_access allow PURGE localhost
http_access deny PURGE

http_access deny !CLIENTS

# whitelist checker (one external_acl_type directive on a single line)
external_acl_type whiteExternal children=10 %DST %PORT /opt/squid/proxy-internal/etc/squid/whiteExternal
acl whiteExternal external whiteExternal
http_access allow whiteExternal

# url rewriter
url_rewrite_program /opt/squid/proxy-internal/etc/squid/internalMapper
url_rewrite_children 10

# allow replies from all
http_reply_access allow all

-- 
------------------------------------------------------------------------
H.-Dirk Schmitt <http://www.computer42.org>
Dipl. Math.
eMail: dirk.schmitt_at_computer42.org
mobile: +49 177 616 8564
phone: +49 2642 99 41 10
fax: +49 2642 99 41 15
Kripper Str. 35, D-53489 Sinzig
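An added example, not part of the original mail or of Squid itself: a small checker that reads the `debug_options 15,9` cache.log statements and the emulate_httpd_log access lines quoted above, and flags the situation described in the post (FIRST_UP_PARENT keeps returning a parent that Squid still lists as alive while requests through it end in 503). The log samples are constructed from the lines in the mail; the 503 threshold is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the debug 15,9 cache.log lines in the mail.
CACHE_LOG = """\
2009/12/03 22:36:01.920| getFirstUpParent: returning 192.168.253.17
2009/12/03 22:36:01.920| peerGetAllParents: adding alive parent 192.168.253.17
2009/12/03 22:36:01.920| peerGetAllParents: adding alive parent 192.168.253.18
"""

# Constructed access.log sample in emulate_httpd_log (common) format; Squid
# appends "<result>:<hierarchy>" as the last field, as quoted in the mail.
ACCESS_LOG = """\
192.168.1.139 - - [03/Dec/2009:22:35:58 +0100] "GET http://partner.example/api HTTP/1.1" 200 2310 TCP_MISS:FIRST_UP_PARENT
192.168.1.139 - - [03/Dec/2009:22:36:01 +0100] "GET http://partner.example/api HTTP/1.1" 503 1450 TCP_MISS:FIRST_UP_PARENT
192.168.1.139 - - [03/Dec/2009:22:36:04 +0100] "GET http://partner.example/api HTTP/1.1" 503 1450 TCP_MISS:FIRST_UP_PARENT
192.168.1.139 - - [03/Dec/2009:22:36:07 +0100] "POST http://partner.example/api HTTP/1.1" 503 1450 TCP_MISS:FIRST_UP_PARENT
"""

FIRST_UP_RE = re.compile(r"getFirstUpParent: returning (\S+)")
ALIVE_RE = re.compile(r"peerGetAllParents: adding alive parent (\S+)")
# status, size, then "<result code>:<hierarchy code>" at the end of the line
ACCESS_RE = re.compile(r'" (\d{3}) \d+ (\w+):(\w+)\s*$')


def parent_state(cache_log: str) -> Dict[str, object]:
    """Which parents Squid reports alive, and the last one FIRST_UP_PARENT chose."""
    alive: Set[str] = set(ALIVE_RE.findall(cache_log))
    chosen = FIRST_UP_RE.findall(cache_log)
    return {"alive": alive, "first_up": chosen[-1] if chosen else None}


def count_first_up_status(access_log: str) -> Dict[str, int]:
    """Count HTTP status codes of requests that went through FIRST_UP_PARENT."""
    counts: Dict[str, int] = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.search(line)
        if m and m.group(3) == "FIRST_UP_PARENT":
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def diagnose(cache_log: str, access_log: str, max_errors: int = 3) -> List[str]:
    """Flag a parent still selected (and listed alive) after max_errors 503s."""
    state = parent_state(cache_log)
    errors = count_first_up_status(access_log).get("503", 0)
    findings: List[str] = []
    if state["first_up"] and errors >= max_errors:  # assumed threshold
        findings.append(f"{state['first_up']} still selected after {errors} 503s; "
                        f"parents reported alive: {sorted(state['alive'])}")
    return findings
```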
Received on Fri Dec 04 2009 - 10:56:38 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 04 2009 - 12:00:01 MST